Analysis
-
max time kernel
131s -
max time network
140s -
platform
windows11_x64 -
resource
win11 -
submitted
20-10-2021 08:42
Static task
static1
Behavioral task
behavioral1
Sample
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
Resource
win11
General
-
Target
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
-
Size
170KB
-
MD5
1bd7d1b87c5091a9653fe8005892b784
-
SHA1
3dcf19b833266a3591fd97c93e5b9bca4ac2c21c
-
SHA256
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703
-
SHA512
4c13373a150b1e3bd12fdd9ad5c379a43e41c59ba5b6dd6982c79599839128bcbde30d7083a810d66604382f4d5aff24c22b504fdaab03f6743a7dc263d85651
Malware Config
Extracted
C:\RyukReadMe.txt
ryuk
WayneEvenson@protonmail.com
WayneEvenson@tutanota.com
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 3948 created 4212 3948 WerFault.exe DllHost.exe PID 3372 created 4020 3372 WerFault.exe DllHost.exe PID 5828 created 3648 5828 WerFault.exe StartMenuExperienceHost.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes:
sihost.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt sihost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" reg.exe -
Drops file in Program Files directory 64 IoCs
Processes:
sihost.exedescription ioc process File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@3x.png sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYH.TTC sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG3.TTF sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\th.pak sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Beta.msix.DATA sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\Notifications\SoftLandingAssetLight.gif.DATA sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Trust Protection Lists\Mu\LICENSE sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\ne.pak sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\Trust Protection Lists\Mu\Analytics.DATA sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SAMPLES\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White@3x.png sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML sihost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\swiftshader\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\Trust Protection Lists\Sigma\LICENSE.DATA sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.ELM sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\msedge_100_percent.pak.DATA sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\Locales\nl.pak.DATA sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\PersonalMonthlyBudget.xltx sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\Trust Protection Lists\Mu\Entities sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\SONORA.ELM sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.dub sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_f_col.hxk sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\Locales\mr.pak sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\PREVIEW.GIF sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\tt.pak sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb sihost.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\Locales\qu.pak.DATA sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\Locales\uk.pak sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Notifications\SoftLandingAssetDark.gif sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\mt.pak sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\RyukReadMe.txt sihost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 5080 4212 WerFault.exe DllHost.exe 4948 4020 WerFault.exe DllHost.exe 6832 3648 WerFault.exe StartMenuExperienceHost.exe -
Checks processor information in registry 2 TTPs 21 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exeWerFault.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe -
Interacts with shadow copies 2 TTPs 8 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 16132 vssadmin.exe 17188 vssadmin.exe 17608 vssadmin.exe 22308 vssadmin.exe 45996 vssadmin.exe 8844 vssadmin.exe 13800 vssadmin.exe 14456 vssadmin.exe -
Modifies data under HKEY_USERS 43 IoCs
Processes:
sihclient.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe -
Modifies registry class 3 IoCs
Processes:
StartMenuExperienceHost.exeRuntimeBroker.exesihost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{6D1AE8BB-DABA-4A89-8A00-370A8046B379} RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings sihost.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exeWerFault.exeWerFault.exeWerFault.exepid process 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe 4948 WerFault.exe 4948 WerFault.exe 5080 WerFault.exe 5080 WerFault.exe 6832 WerFault.exe 6832 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
svchost.exef130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exevssvc.exedescription pid process Token: SeSystemtimePrivilege 4540 svchost.exe Token: SeSystemtimePrivilege 4540 svchost.exe Token: SeIncBasePriorityPrivilege 4540 svchost.exe Token: SeDebugPrivilege 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe Token: SeBackupPrivilege 46028 vssvc.exe Token: SeRestorePrivilege 46028 vssvc.exe Token: SeAuditPrivilege 46028 vssvc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
sihost.exepid process 46056 sihost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
StartMenuExperienceHost.exepid process 21676 StartMenuExperienceHost.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
sihost.exepid process 2060 sihost.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.execmd.exeWerFault.exeWerFault.exeWerFault.exesihost.execmd.exedescription pid process target process PID 1416 wrote to memory of 1952 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe cmd.exe PID 1416 wrote to memory of 1952 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe cmd.exe PID 1416 wrote to memory of 2060 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe sihost.exe PID 1952 wrote to memory of 2472 1952 cmd.exe reg.exe PID 1952 wrote to memory of 2472 1952 cmd.exe reg.exe PID 1416 wrote to memory of 3052 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe svchost.exe PID 1416 wrote to memory of 3360 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe svchost.exe PID 1416 wrote to memory of 3636 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe SearchHost.exe PID 1416 wrote to memory of 3648 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe StartMenuExperienceHost.exe PID 1416 wrote to memory of 3744 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe RuntimeBroker.exe PID 1416 wrote to memory of 3880 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe svchost.exe PID 1416 wrote to memory of 3900 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe RuntimeBroker.exe PID 1416 wrote to memory of 4020 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe DllHost.exe PID 1416 wrote to memory of 4212 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe DllHost.exe PID 1416 wrote to memory of 4332 1416 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe smartscreen.exe PID 3948 wrote to memory of 4212 3948 WerFault.exe DllHost.exe PID 3948 wrote to memory of 4212 3948 WerFault.exe DllHost.exe PID 3372 wrote to memory of 4020 3372 WerFault.exe DllHost.exe PID 3372 wrote to memory of 4020 3372 WerFault.exe DllHost.exe PID 5828 wrote to memory of 3648 5828 WerFault.exe StartMenuExperienceHost.exe PID 5828 wrote to memory of 3648 5828 WerFault.exe StartMenuExperienceHost.exe PID 2060 wrote to memory of 45940 2060 sihost.exe cmd.exe PID 2060 wrote to memory of 45940 2060 sihost.exe cmd.exe PID 45940 wrote to memory of 45996 45940 cmd.exe vssadmin.exe PID 45940 wrote to memory of 45996 45940 cmd.exe vssadmin.exe
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4020 -s 4442⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\smartscreen.exeC:\Windows\System32\smartscreen.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4212 -s 8602⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3648 -s 24962⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /f3⤵
- Adds Run key to start application
-
C:\Windows\System32\Upfc.exeC:\Windows\System32\Upfc.exe /launchtype periodic /cv BJOrJJFaFUKh1w9S2mfmtA.01⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 436 -p 4020 -ip 40201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 416 -p 4212 -ip 42121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 3648 -ip 36481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$WinREAgent\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\$WinREAgent\Scratch\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\BOOTSECT.BAKMD5
99beb85853735c0adce0851c026c33b8
SHA1643cef3ce3d7f84166b0b64da7985d6da480fc22
SHA256bc0410068eb6a53949208e70a864073225f102e8cfc2cf7be2e26216f25a7cb8
SHA51214b155ff672bce0d2be0c52c4652c343395ff7a1e69934b63849ce4c2a9a71550756029c0ede149c0bf1b92ae4fb99e58c70f66616312f477e710feb4f23a269
-
C:\Boot\BCDMD5
8332a8bfb06d5c71d4a8818c4c4655ea
SHA1c766ca2fcbacf318b70f1f1f92484b47a36b2ffb
SHA256f7a7bb9342b4daefd8a3a38a610d26e042d711e9f15b8cc4c88605aef16a8a69
SHA512972fd6581695abb62cd5809630ef729e6d6b1eb73389be9217d67c88a05a227fe0c189d404848917d83391e83ad53d3204c812f3efa8e1d7cc45119dceb61db6
-
C:\Boot\BOOTSTAT.DATMD5
d53ce4ab24e5ae0802a2b7148f23ab2f
SHA176874b2af16b9291efab66f4f3fc8285e6fdbbea
SHA25696389eb2b49c00c67cc3445328260f8406d66119b9be6cc6cfe46d9a7190938f
SHA512564d3c82bde0b9899bf9e2ff44244f07b44e7e6d6c2328e2ea9454577e26205b433a4edb4a7d7c62a7e169b6b08fd0fbfa150edde0f2635471aaea361dec47a9
-
C:\Boot\Fonts\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\Resources\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\Resources\en-US\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\bg-BG\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\cs-CZ\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\da-DK\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\de-DE\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\el-GR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\en-GB\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\en-US\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\es-ES\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\es-MX\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\et-EE\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\fi-FI\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\fr-CA\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\fr-FR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\hr-HR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\hu-HU\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\it-IT\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\ja-JP\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\ko-KR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\lt-LT\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\lv-LV\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\nb-NO\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\nl-NL\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\pl-PL\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\pt-BR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\pt-PT\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\qps-ploc\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\qps-plocm\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\ro-RO\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\ru-RU\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\sk-SK\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\sl-SI\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\sr-Latn-RS\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\sv-SE\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\tr-TR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\uk-UA\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\zh-CN\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\zh-TW\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Documents and Settings\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\DumpStack.logMD5
39a0050e97d9a1a05100185003ee45ae
SHA1cc89794d956d30212d20326ee96fbd8731ee678a
SHA256372eff426aad06266564ddfc001c6cf0c8f848fba26b7114b0f98dcf5cadedc9
SHA5124c3e677459a76c11ac4e51da8f1587a68278e064a86dd41b7e70e12182827df2e71c3f46595b07dd5f44a47d1a4f17a6435b2b22530a01e41467ccf5d527633d
-
C:\PerfLogs\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLBMD5
73bc43b04041808db544c342c0e16b91
SHA1de1c1fffa753bbb5c77a6977c225fa7ab5bbf2b1
SHA2567f2ef44d7c3584c03d2537fca801a76663204268ed863721fd80f0a07a16deca
SHA512e9075c2760fdb729d7d1b6ad38d10ab86e22872326c14e1b3788d7cbf01cf7e3550c838081bb152737870918e313f71303cf4a88d1bf9fe35e2b38e366ce64ce
-
C:\Program Files\Common Files\DESIGNER\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_ff33445f-a36e-4a95-8e5f-bca99faf3ebdMD5
f5977f50354b0ae37c81e26b1742406c
SHA133de00e857806dc9ff233132e7d079b1cc325b26
SHA2569f07fcdb51915bab454927f8888bae38c2de9aa40693274907dac97b42e24663
SHA512cea131cb2fb7cf4f1d0cd49c87a3aeb6fdc4118ab6eb8244712c9f4459abb2ca22c1492100ddcc9fe1b06c8d78f11479e8459b9b380b2c6c731c034ef77f1bd3
-
C:\ProgramData\Microsoft\Network\Downloader\edb.logMD5
66f04df8bc42efab6cafe0c0da12882a
SHA1cbeea98cba4a89a7d6879f33feead78672323a51
SHA256dbd05321e75ca680d76e448ac157ca0e2d238134d4cd449940a26e40b5060220
SHA512445651c951a8d8d3d0337deee880164987209c3b1ed423902edab4c1db5decda1ba826e471c5848414da58b78d20fa5fc07f7a53ee7be294f5f7265c2b34169e
-
C:\ProgramData\Microsoft\Network\Downloader\qmgr.dbMD5
84eeafba7e4ff7be312fb21ea5e11e20
SHA18a4449ff0d89dba9ca1977f1647d2bcc034a5b09
SHA256a9762c50e934a30928712db71f152c9fa2c6d2bc0015cd220bb94c13094c45e4
SHA51264963cf72d7848ef4fee46e0b2e4e9a08e701ab54cbcd56d8e477c753a505b3a1932d8ff6d5200413df53148551743d0ae078bd945ed348056c9d6b80d6c76c9
-
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfmMD5
bd88e934d79580ac8d4d4b642105f337
SHA1f1156d2cc405070ecb5cc3d062be811cca2fd65f
SHA256d596c88037b43d19347776fccce2f0f9bd4b87023957ae1790110b5e6715311a
SHA51212ae762b0839f34a20b26a98d3d1b2a5e2bdaacd9608cabc141a8717619c524e10b08cfc8323bae68a18e2b314c705df71a1321d4096d1d90447841655e240fc
-
C:\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157MD5
18371c99a486432e92520b8e549f2d71
SHA10ff3eb4307d9270fe36797f1122e76b0df144e74
SHA256a13ac1e2425a6a604d720d151634f6216d70b71ea2bd4eb2da92bf24c9615087
SHA512dccc6db54c30657700abba9a8e3aab557b47151eeffcefb4c7686f44712f7b8b71746153e3898fe5df158bdec37fbcd4268664fe5b47fa5638d0b5adc2aff28c
-
C:\odt\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\odt\config.xmlMD5
3eb1c08d93155d982271b1811d6f2b72
SHA1808d1f2a2d0edf31a76261418c421b069a29ff34
SHA25662f91443c73505967fcddbc2c7ee716782dc023d60d871e311660a15d929895b
SHA5122e99a2c4664ebf90f46cae6484606568b41120105342aae3b4fe627f70a85461480e9088b22847d262a955f032a2fec26650dc817b9980e6846080c71e37f9e0
-
C:\users\Public\window.batMD5
d2aba3e1af80edd77e206cd43cfd3129
SHA13116da65d097708fad63a3b73d1c39bffa94cb01
SHA2568940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12
SHA5120059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec
-
memory/1952-149-0x0000000000000000-mapping.dmp
-
memory/2060-150-0x00007FF663140000-0x00007FF6634CE000-memory.dmpFilesize
3.6MB
-
memory/2472-151-0x0000000000000000-mapping.dmp
-
memory/3048-165-0x0000000000000000-mapping.dmp
-
memory/4604-234-0x0000022B56040000-0x0000022B56041000-memory.dmpFilesize
4KB
-
memory/4604-146-0x0000022B53AC0000-0x0000022B53AD0000-memory.dmpFilesize
64KB
-
memory/4604-233-0x0000022B56160000-0x0000022B56164000-memory.dmpFilesize
16KB
-
memory/4604-232-0x0000022B56160000-0x0000022B56161000-memory.dmpFilesize
4KB
-
memory/4604-231-0x0000022B56170000-0x0000022B56174000-memory.dmpFilesize
16KB
-
memory/4604-229-0x0000022B563F0000-0x0000022B563F1000-memory.dmpFilesize
4KB
-
memory/4604-148-0x0000022B56140000-0x0000022B56144000-memory.dmpFilesize
16KB
-
memory/4604-147-0x0000022B53B40000-0x0000022B53B50000-memory.dmpFilesize
64KB
-
memory/4604-228-0x0000022B56430000-0x0000022B56434000-memory.dmpFilesize
16KB
-
memory/8844-224-0x0000000000000000-mapping.dmp
-
memory/13800-225-0x0000000000000000-mapping.dmp
-
memory/14456-226-0x0000000000000000-mapping.dmp
-
memory/16132-227-0x0000000000000000-mapping.dmp
-
memory/17188-230-0x0000000000000000-mapping.dmp
-
memory/17608-235-0x0000000000000000-mapping.dmp
-
memory/19348-238-0x000001C067360000-0x000001C067362000-memory.dmpFilesize
8KB
-
memory/19348-237-0x000001C067360000-0x000001C067362000-memory.dmpFilesize
8KB
-
memory/19360-236-0x000002B61AD70000-0x000002B61AD72000-memory.dmpFilesize
8KB
-
memory/21676-156-0x00000218FF5E0000-0x00000218FF5E2000-memory.dmpFilesize
8KB
-
memory/21676-164-0x00000218FF5E0000-0x00000218FF5E2000-memory.dmpFilesize
8KB
-
memory/21676-163-0x00000218FF5E0000-0x00000218FF5E2000-memory.dmpFilesize
8KB
-
memory/21676-157-0x00000218FF5E0000-0x00000218FF5E2000-memory.dmpFilesize
8KB
-
memory/21676-155-0x00000218FF5E0000-0x00000218FF5E2000-memory.dmpFilesize
8KB
-
memory/45940-159-0x0000000000000000-mapping.dmp
-
memory/45996-161-0x0000000000000000-mapping.dmp